Understand the TTL in DNS zone SOA record

binddomain-name-system

Lets say I create a reverse zone-file for 192.0.2.0/24 network in my DNS server and my DNS server will be the authoritative for reverse-zone 2.0.192.in-addr.arpa. In this reverse zone-file I create Start of Authority record with following parameters:

$ dig @localhost -t SOA 2.0.192.in-addr.arpa. +noall +answer
2.0.192.in-addr.arpa. 604800 IN      SOA     primary-DNS-server secondary-DNS-server 2015010600 28800 7200 1209600 86400
$

Am I correct that the DNS TTL for this reverse-zone is 86400 seconds? And this means that if recursive(caching) name-server asks a PTR record from this zone, then this recursive name-server will cache the result for 86400 seconds?

Best Answer

Back in 1997, that would have been one correct SOA record interpretation of several. :) Things were a little more ambiguous back then.

RFC 2308 reclassified the last field of the SOA record as the negative caching interval, otherwise known as the NCACHE field. RFC2308 §4 is the most applicable here. It not only redefines this as the NCACHE field, but also explains why coding the default TTL into the SOA record would have been misguided to begin with. (emphasis for the latter is in bold)

4 - SOA Minimum Field

The SOA minimum field has been overloaded in the past to have three different meanings, the minimum TTL value of all RRs in a zone, the default TTL of RRs which did not contain a TTL value and the TTL of negative responses.

Despite being the original defined meaning, the first of these, the minimum TTL value of all RRs in a zone, has never in practice been used and is hereby deprecated.

The second, the default TTL of RRs which contain no explicit TTL in the master zone file, is relevant only at the primary server. After a zone transfer all RRs have explicit TTLs and it is impossible to determine whether the TTL for a record was explicitly set or derived from the default after a zone transfer. Where a server does not require RRs to include the TTL value explicitly, it should provide a mechanism, not being the value of the MINIMUM field of the SOA record, from which the missing TTL values are obtained. How this is done is implementation dependent.

The Master File format [RFC 1035 Section 5] is extended to include the following directive:
                       $TTL <TTL> [comment]
All resource records appearing after the directive, and which do not explicitly include a TTL value, have their TTL set to the TTL given in the $TTL directive. SIG records without a explicit TTL get their TTL from the "original TTL" of the SIG record [RFC 2065 Section 4.5].

The remaining of the current meanings, of being the TTL to be used for negative responses, is the new defined meaning of the SOA minimum field.

Breaking this down:

The last field of the SOA record (NCACHE) specifies how long remote nameservers should cache a negative response if a query results in NXDOMAIN.
The default TTL is defined either by a default in the software configuration, or something equivalent to the $TTL directive for text based zone files.
As a consequence of this implementation, there is no way to query a remote nameserver via the DNS protocol to determine the default TTL for a zone. $TTL and family are not records, therefore you cannot query for them and they will not survive a zone transfer. (instead, all missing TTLs will be replaced with this value at the time of zone transfer)

As Andy says, the default TTL is moot if the individual records specify their own TTLs.

Related Solutions

Debian – Setting up a DNS name server for a mass virtual host with Bind9

Looking at the IP addresses in your resolv.conf I get the feeling that your BIND server is on 192.168.1.52. As far as I can tell, you can't specify in resolv.conf something like "for these domains, use this name server". Basically, your BIND server will never be queried. As you can see in your dig lookup (which is incorrect, it is asking for a reverse DNS entry), it tries 80.58.0.33, which I assume is your provider's DNS server.

You already set up BIND as caching nameserver by using the 'forwarders' option, so what you need to do is have only 192.168.1.52 in the client PCs as nameserver.

To see if your BIND is configured correctly, try this:

dig example.test @192.168.1.52

Global Reverse DNS look-ups not working

You've set it up correctly on your server, but your server is not marked as authoritative for 123.5.253.159.in-addr.arpa. Your reverse DNS is managed by your ISP (the whole 5.253.159.in-addr.arpa zone):

; <<>> DiG 9.7.3-P3 <<>> ns 5.253.159.in-addr.arpa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43579
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2

;; QUESTION SECTION:
;5.253.159.in-addr.arpa.        IN  NS

;; ANSWER SECTION:
5.253.159.in-addr.arpa. 86010   IN  NS  ns3.uxw.nl.
5.253.159.in-addr.arpa. 86010   IN  NS  ns4.uxw.nl.

You have 2 solutions to solve that:

ask your ISP to define the 123.5.253.159.in-addr.arpa record for you on their DNS (ns3.uxw.nl and ns4.uxw.nl),
ask your ISP to delegate the 123.5.253.159.in-addr.arpa record to your server, as per the RFC 2317, this is just a matter of defining a CNAME pointing to a new record on a new zone on your DNS (you then have to define this special zone on your DNS, your ISP will tell you how to name this new zone).

First solution is probably the quickest, but if you change your server's name in the future, you've got to ask them to change it again. Second solution is the most flexible, if your ISP is willing to support RFC 2317. If your ISP is providing you with more than a single address, reverse DNS can be delegated for all of them (the whole range) so you can be in charge. I'd recommend you to ask for that.

This similar question is worth reading.

Trivia: a few years ago (5, or 10 years back), some people were advocating against RFC-2317, because some DNS clients couldn't handle the reverse queries well. However, I don't think that is relevant anymore, RFC-2317 exists for about 15 years now.

Best Answer

Related Solutions

Debian – Setting up a DNS name server for a mass virtual host with Bind9

Global Reverse DNS look-ups not working

Related Topic